Policy on Government Security

Provides direction to manage government security in support of the trusted delivery of GC programs and services, the protection of information, individuals and assets, and provides assurance to Canadians, partners, oversight bodies and other stakeholders regarding security management in the GC.
Date modified: 2019-07-01


availability (disponibilité)
The state of being accessible and usable in a timely and reliable manner.
business continuity planning (planification de la continuité des opérations)
The development and timely execution of plans, measures, procedures and arrangements to ensure minimal or no interruption to the availability of critical services and assets.
communications intelligence (COMINT)
Technical information or intelligence derived from the exploitation of communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those systems or networks by other than the intended recipient.
Communications Security (COMSEC) (sécurité des communications (COMSEC))
The application of cryptographic security, transmission and emission security, physical security measures, operational practices and controls to deny unauthorized access to information derived from telecommunications and that ensure the authenticity of such telecommunications.
compromise (compromission)
The unauthorized access to, disclosure, destruction, removal, modification, use or interruption of assets or information.
confidentiality (confidentialité)
A characteristic applied to information to signify that it can only be disclosed to authorized individuals to prevent injury to national or other interests.
critical service (service critique)
A service whose compromise in terms of availability or integrity would result in a high degree of injury to the health, safety, security or economic well-being of Canadians or to the effective functioning of the Government of Canada (GC).
department (ministère)
All departments named in Schedule I, divisions or branches of the federal public administration set out in column I of Schedule I.1, corporations named in Schedule II, and portions of the federal public administration named in schedules IV and V of the Financial Administration Act (FAA), unless excluded by specific acts, regulations or Orders in Council.
Deputy Head (Administrateur général)
Deputy Head as defined in section 11 of the Financial Administration Act, and in the case of the Canadian Forces the Chief of the Defence Staff.
electronic intelligence (ELINT)
Technical information or intelligence derived from the collection, processing and analysis of electromagnetic non-communications emissions.
emergency (urgence)
A present or imminent event, including IT incidents, that requires prompt coordination of actions to protect the health, safety or welfare of people, or to limit damage to assets or the environment.
emergency management (gestion des urgences)
The prevention and mitigation of, preparedness for, response to and recovery from emergencies.
executive (cadre supérieure)
An employee appointed to the executive group (EX-01 to EX-05 levels), i.e., director, director general, assistant deputy minister or equivalent.
foreign instrumentation signals intelligence (FISINT)
Technical information or intelligence derived from the collection, processing and analysis of foreign instrumentation signals by other than the intended recipient.
identity (identité)
A reference or designation used to distinguish a unique and particular individual, organization or device.
identity management (gestion de l'identité)
The set of principles, practices, processes and procedures used to realize an organization's mandate and its objectives related to identity.
interoperability (interopérabilité)
The ability of federal government departments to operate synergistically through consistent security and identity management practices.
national interest (intérêt national)
The security and the social, political and economic stability of Canada.
reliability status (cote de fiabilité)
Indicates the successful completion of reliability checks; allows regular access to government assets and, with a need to know, to PROTECTED information.
risk (risque)
The uncertainty that can create exposure to undesired future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to impede the achievement of an organization's objectives.
security clearance (cote de sécurité)
Indicates successful completion of a security assessment; with a need to know, allows access to classified information. There are three Security Clearance levels: Confidential, Secret and Top Secret.
security control (mesure de sécurité)
An administrative, operational, technical, physical or legal measure for managing security risk. This term is synonymous with safeguard.
security incident (incident de sécurité)
Any workplace violence toward an employee or any act, event or omission that could result in the compromise of information, assets or services.
security screening (filtrage de sécurité)
Any measure resulting in a high level of assurance that an individual can be granted specific access privileges within the context of the federal government.
situational awareness (connaissance de la situation)
Having insight into one's environment and circumstances to understand how events and actions will affect business objectives, both now and in the near future. Having complete, accurate, and current situational awareness (SA) is essential in any domain where technological complexity, decision making, and the well-being of the public interact. Because incident management involves predictions and forecasts, SA in the area of IT requires an understanding of the interrelationships between critical services and information, safeguards supporting IT infrastructure and processes, and evolving threats.
sophisticated IT security incident (incident complexe de sécurité des TI)
An event, usually initiated by sophisticated threat actors, that is complicated to detect and recover from, causes harm to GC networks and systems, and affects the confidentiality, integrity and availability of information.
sophisticated IT security threat (menace complexe à la sécurité des TI)
An entity or entities that make use of advanced technologies and tradecraft to penetrate or bypass protective systems and security technologies without being detected.
threat (menace)
An event or act, deliberate or accidental, that could cause injury to people, information, assets or services.
vulnerability (vulnérabilité)
An inadequacy related to security that could increase susceptibility to compromise or injury.
workplace violence (violence dans le lieu de travail)
An action, conduct, threat or gesture that can reasonably be expected to cause harm, injury or illness to an employee in the workplace.